upatre | 6ab968b3d6552bbcc0cff1e3742fcd28959675eec65dcc13d518c2461bfbb971

Analysis

max time kernel
158s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.30c558fff967a1ee6a6ebe8156e012f0.exe
Size

8KB
MD5

30c558fff967a1ee6a6ebe8156e012f0
SHA1

e804acd330d657cbded5c4147b043cf97af0c91c
SHA256

6ab968b3d6552bbcc0cff1e3742fcd28959675eec65dcc13d518c2461bfbb971
SHA512

a66a93bb6364f618c69c8c5879c5192d23a7204543ee7f64a2e31b7b64633444b42f9804d667d54abf578f7d909d68416a6110a7673907f44d209157829b6580
SSDEEP

192:9mUWKs/L1nKfzShZ2PaLDGqlqZRv+HiF7Sy:6K+LJKfzQYPaPVlcv+HiF73

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.30c558fff967a1ee6a6ebe8156e012f0.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 5068	4844	NEAS.30c558fff967a1ee6a6ebe8156e012f0.exe	88
PID 4844 wrote to memory of 5068	4844	NEAS.30c558fff967a1ee6a6ebe8156e012f0.exe	88
PID 4844 wrote to memory of 5068	4844	NEAS.30c558fff967a1ee6a6ebe8156e012f0.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.30c558fff967a1ee6a6ebe8156e012f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.30c558fff967a1ee6a6ebe8156e012f0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
8KB

MD5
d4ce44ed1711dad41cbf9ef9f0d63cef

SHA1
3ecb4c613595a003b58a885509521f4305acc01c

SHA256
a93f6ade7f90943bd27ce2093ed98606470add1796575c51c61ab3980bba3b8a

SHA512
ab85403627d63250eb15928677c4501032642819188e3cf3a3c139d35d91b49607efd57d3ac9a0405925a4743d58db6ffcd08f81f551609a9b79ff1c9eeff487

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
8KB

MD5
d4ce44ed1711dad41cbf9ef9f0d63cef

SHA1
3ecb4c613595a003b58a885509521f4305acc01c

SHA256
a93f6ade7f90943bd27ce2093ed98606470add1796575c51c61ab3980bba3b8a

SHA512
ab85403627d63250eb15928677c4501032642819188e3cf3a3c139d35d91b49607efd57d3ac9a0405925a4743d58db6ffcd08f81f551609a9b79ff1c9eeff487

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
8KB

MD5
d4ce44ed1711dad41cbf9ef9f0d63cef

SHA1
3ecb4c613595a003b58a885509521f4305acc01c

SHA256
a93f6ade7f90943bd27ce2093ed98606470add1796575c51c61ab3980bba3b8a

SHA512
ab85403627d63250eb15928677c4501032642819188e3cf3a3c139d35d91b49607efd57d3ac9a0405925a4743d58db6ffcd08f81f551609a9b79ff1c9eeff487

Download Submit